🕵️ Sketchy IP of the day
🕵️ **Profile: "The Shanghai Encoder"**

📍 180.97.221.123 | AS4134 Chinanet 🇨🇳
🎯 3 hits: CVE-2021-41773 & 42013 (Apache path traversal) + PHPUnit RCE
🔤 Double URL encoding `%%32%65` to bypass filters; creative, but our honeypot reads base16 too
🤖 UA: `libredtail-http`

Path to `/bin/sh` refused. Too bad.

#honeypot #infosec #threatintel

🍯 Detected by the CyberVeille.ch honeypot
🗺️ https://cyberveille.ch/map/

🌍 Pew Pew CH (Infomaniak) — Honeypot

Real-time map of attacks detected by CrowdSec on the CyberVeille server (Infomaniak, Switzerland). Data from the last 24 hours.

CyberVeille
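As an added example (not CyberVeille's code or anything from the post above), here is how a defender-side log filter can catch the double-encoding trick the post describes: it percent-decodes a request target repeatedly until it stops changing, so `%%32%65` becomes `%2e` after one pass and `.` only after the second, and then flags any `..` segment. The log lines, the addresses other than the one the post cites, and the function names are constructed for this example.

```python
"""Normalise percent-encoded request targets and flag directory traversal.

Added example, not code from CyberVeille or its honeypot. A single
URL-decode pass turns %%32%65 into %2e and sees no dot; only a second
pass yields the "." a naive filter was looking for. Log lines and helper
names here are constructed for the example.
"""
import re
from urllib.parse import unquote

# Apache combined log format; simplified pattern that assumes the request
# target itself contains no spaces.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed log lines (the first IP and user agent are the ones the post cites).
SAMPLE_LOG = [
    '180.97.221.123 - - [12/Jun/2026:09:14:02 +0000] "GET /%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1" 403 199 "-" "libredtail-http"',
    '203.0.113.7 - - [12/Jun/2026:09:14:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Jun/2026:09:14:09 +0000] "GET /static/%2e%2e/%2e%2e/etc/hostname HTTP/1.1" 404 196 "-" "curl/8.0"',
    '203.0.113.8 - - [12/Jun/2026:09:14:12 +0000] "GET /files/report%2520final.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def normalize_target(target, max_passes=5):
    """Percent-decode until the string stops changing.

    Returns (decoded, passes): passes is how many decode rounds changed the
    input, i.e. the encoding depth the client used. max_passes bounds the
    work so a pathological input cannot loop forever.
    """
    current = target
    passes = 0
    for _ in range(max_passes):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        passes += 1
    return current, passes


def has_traversal(path):
    """True if any path segment is '..' (query string ignored, backslashes folded)."""
    path_only = path.split("?", 1)[0]
    return any(seg == ".." for seg in path_only.replace("\\", "/").split("/"))


def scan_log(lines):
    """Return one finding per parseable line; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded, passes = normalize_target(m["target"])
        findings.append({
            "src": m["src"], "ua": m["ua"], "raw": m["target"],
            "decoded": decoded, "passes": passes,
            # What a filter that decodes exactly once would have seen.
            "single_pass_catches": has_traversal(unquote(m["target"])),
            "traversal": has_traversal(decoded),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "TRAVERSAL" if f["traversal"] else "ok"
        print(f'{flag:9} depth={f["passes"]} {f["src"]} {f["raw"]} -> {f["decoded"]}')
```

The fourth sample line matters as much as the first: a double-encoded space in a file name decodes to depth 2 as well, so depth alone is not a signal; the decision is made on the normalised path, and the encoding depth is kept only as context for the analyst.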

2026-06-12 RDP #Honeypot IOCs - 1230 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
134.199.198.215 - 510
168.144.29.9 - 510
159.223.238.255 - 81

Top ASNs:
AS14061 - 1101
AS10439 - 33
AS396982 - 27

Top Accounts:
hello - 1104
(empty) - 27
Administr - 21

Top ISPs:
DigitalOcean, LLC - 1101
CariNet, Inc. - 33
Google LLC - 27

Top Clients:
Unknown - 1230

Top Software:
Unknown - 1230

Top Keyboards:
Unknown - 1230

Top IP Classification:
hosting - 1164
Unknown - 54
hosting & proxy - 6

Pastebin links with full 24-hr RDP Honeypot IOC Lists:

#CyberSec #SOC #Blueteam #SecOps #Security

2026-06-12 RDP #Honeypot IOCs - 820 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
134.199.198.215 - 340
168.144.29.9 - 340
159.223.238.255 - 54

Top ASNs:
AS14061 - 734
AS10439 - 22
AS396982 - 18

Top Accounts:
hello - 736
(empty) - 18
Administr - 14

Top ISPs:
DigitalOcean, LLC - 734
CariNet, Inc. - 22
Google LLC - 18

Top Clients:
Unknown - 820

Top Software:
Unknown - 820

Top Keyboards:
Unknown - 820

Top IP Classification:
hosting - 776
Unknown - 36
hosting & proxy - 4

Pastebin links with full 24-hr RDP Honeypot IOC Lists:

#CyberSec #SOC #Blueteam #SecOps #Security

2026-06-12 RDP #Honeypot IOCs - 410 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
134.199.198.215 - 170
168.144.29.9 - 170
159.223.238.255 - 27

Top ASNs:
AS14061 - 367
AS10439 - 11
AS396982 - 9

Top Accounts:
hello - 368
(empty) - 9
Administr - 7

Top ISPs:
DigitalOcean, LLC - 367
CariNet, Inc. - 11
Google LLC - 9

Top Clients:
Unknown - 410

Top Software:
Unknown - 410

Top Keyboards:
Unknown - 410

Top IP Classification:
hosting - 388
Unknown - 18
hosting & proxy - 2

Pastebin links with full 24-hr RDP Honeypot IOC Lists:

#CyberSec #SOC #Blueteam #SecOps #Security

🕵️ Sketchy IP of the day
🕵️ Profile: "The Apache Hunter from Chinanet"

📍 180.97.221.123 | 🇨🇳 AS4134
💥 3 hits: CVE-2021-41773 + CVE-2021-42013 (path traversal to /bin/sh) + CVE-2017-9841 (PHPUnit RCE)
🛠️ UA: libredtail-http

Double UTF-8 encoding to bypass filters... classy. Our honeypot says thanks for the logs! 🍯

#honeypot #infosec #threatintel #apache

🍯 Detected by the CyberVeille.ch honeypot
🗺️ https://cyberveille.ch/map/


2026-06-11 RDP #Honeypot IOCs - 351 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
134.199.198.215 - 228
157.10.44.143 - 48
193.169.194.14 - 21

Top ASNs:
AS14061 - 228
AS150862 - 48
AS396982 - 27

Top Accounts:
hello - 276
(empty) - 24
Test - 12

Top ISPs:
DigitalOcean, LLC - 228
HAINAMTECH - 48
Google LLC - 27

Top Clients:
Unknown - 351

Top Software:
Unknown - 351

Top Keyboards:
Unknown - 351

Top IP Classification:
hosting - 261
Unknown - 87
hosting & proxy - 3

Pastebin links with full 24-hr RDP Honeypot IOC Lists:

#CyberSec #SOC #Blueteam #SecOps #Security

2026-06-11 RDP #Honeypot IOCs - 234 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
134.199.198.215 - 152
157.10.44.143 - 32
193.169.194.14 - 14

Top ASNs:
AS14061 - 152
AS150862 - 32
AS396982 - 18

Top Accounts:
hello - 184
(empty) - 16
Test - 8

Top ISPs:
DigitalOcean, LLC - 152
HAINAMTECH - 32
Google LLC - 18

Top Clients:
Unknown - 234

Top Software:
Unknown - 234

Top Keyboards:
Unknown - 234

Top IP Classification:
hosting - 174
Unknown - 58
hosting & proxy - 2

Pastebin links with full 24-hr RDP Honeypot IOC Lists:

#CyberSec #SOC #Blueteam #SecOps #Security

2026-06-11 RDP #Honeypot IOCs - 117 scans
Thread with top 3 features in each category and links to the full dataset
#DFIR #InfoSec

Top IPs:
134.199.198.215 - 76
157.10.44.143 - 16
193.169.194.14 - 7

Top ASNs:
AS14061 - 76
AS150862 - 16
AS396982 - 9

Top Accounts:
hello - 92
(empty) - 8
Test - 4

Top ISPs:
DigitalOcean, LLC - 76
HAINAMTECH - 16
Google LLC - 9

Top Clients:
Unknown - 117

Top Software:
Unknown - 117

Top Keyboards:
Unknown - 117

Top IP Classification:
hosting - 87
Unknown - 29
hosting & proxy - 1

Pastebin links with full 24-hr RDP Honeypot IOC Lists:

#CyberSec #SOC #Blueteam #SecOps #Security

#ethicalhacking #honeypot #cybersecurity #penetrationtesting #infosec #hackingpassion #cowrie #networksecurity | Jolanda de Koff

Honeypots: Set the Trap, Watch the Attackers, and Know When You Are Standing in One

Put a server online with port 22 open and it gets its first login attempt within minutes, not days. Automated scanners sweep through IPv4 addresses around the clock, and anything with an open port gets added to a target list almost immediately. A honeypot is built to be found exactly like this, because getting found is the point.

A honeypot is a system that looks like a real target but contains nothing of value. It sits on a network, opens its ports, and waits. When someone scans an address range and finds an open port, they interact with it. That interaction gets logged. The attacker believes they found something real. Meanwhile there is now a record of their IP address, what credentials they tried, and what commands they ran.

Capturing credentials is useful, but what happens in the first thirty seconds after a successful login tells far more about how automated attacks actually operate. Many automated bots run a system fingerprint command immediately after gaining access. Right after that, sanity checks to detect whether they are inside a honeypot. When those pass, the download phase begins. On a well-configured Cowrie setup every file that comes in gets saved automatically for analysis.

For recognizing a honeypot on a pentest: filesystem inconsistency checks, response timing patterns, SSH banner mismatches, and three ways to use Shodan including the Honeyscore tool that returns a probability score in seconds without touching the target.

→ Deploy Cowrie on a cheap throwaway VPS. Leave it running for 24 hours, then open the log and read what came in. The credential combinations and first commands tell you exactly what automated attack traffic looks like in practice.
→ Install Endlessh on any internet-facing server you run. Move real SSH to a non-standard port, point Endlessh at port 22, and let it absorb scanner traffic. It costs nothing in resources and ties up automated scanners for hours.
→ On a pentest, when something feels slightly off about a target, run the filesystem checks, SSH banner verification, and Shodan lookup before doing anything else. Those three checks take a few minutes and tell you whether you are working against a real target or someone watching everything you do.

The course covers the full attack chain: OSINT and reconnaissance, network scanning and enumeration, exploitation, post-exploitation, persistence, and network pivoting, all with hands-on labs. → https://lnkd.in/ebs6AY7K

Research & writing: Jolanda de Koff | HackingPassion.com
Sharing is fine. Copying without credit is not.

Read the full breakdown: → https://lnkd.in/eEy3JwR6

#EthicalHacking #Honeypot #CyberSecurity #PenetrationTesting #InfoSec #HackingPassion #Cowrie #NetworkSecurity

LinkedIn
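The post above suggests reading the Cowrie log after 24 hours for the credential combinations and the first commands. As an added example (not the author's and not Cowrie's own code), this script summarises a Cowrie JSON log in exactly that way: credential pairs tried, which of them succeeded, the first few commands each session ran after login, and any file downloads. The sample lines are constructed; the event ids and field names are those of Cowrie's JSON output as this example assumes them, so check them against your installation before running it on real logs.

```python
"""Summarise a Cowrie JSON log: credentials tried, and what each session
did in its first moments after a successful login.

Added example, not Cowrie's own code. Event ids and field names are
assumed to match Cowrie's JSON output (cowrie.json): login.failed and
login.success carry username/password, command.input carries "input",
session.file_download carries url/shasum, and every event carries
src_ip, session and timestamp. Verify against your installation.
"""
import json
from collections import Counter, defaultdict

# Constructed sample log lines (not captured from a real sensor).
SAMPLE_LOG = [
    '{"eventid":"cowrie.session.connect","src_ip":"10.0.0.5","session":"s1","timestamp":"2026-06-12T10:00:00.000Z"}',
    '{"eventid":"cowrie.login.failed","src_ip":"10.0.0.5","session":"s1","username":"root","password":"123456","timestamp":"2026-06-12T10:00:01.000Z"}',
    '{"eventid":"cowrie.login.success","src_ip":"10.0.0.5","session":"s1","username":"root","password":"admin","timestamp":"2026-06-12T10:00:02.000Z"}',
    '{"eventid":"cowrie.command.input","src_ip":"10.0.0.5","session":"s1","input":"uname -a","timestamp":"2026-06-12T10:00:02.500Z"}',
    '{"eventid":"cowrie.command.input","src_ip":"10.0.0.5","session":"s1","input":"cat /proc/cpuinfo","timestamp":"2026-06-12T10:00:03.000Z"}',
    '{"eventid":"cowrie.command.input","src_ip":"10.0.0.5","session":"s1","input":"nproc","timestamp":"2026-06-12T10:00:03.500Z"}',
    '{"eventid":"cowrie.command.input","src_ip":"10.0.0.5","session":"s1","input":"echo done","timestamp":"2026-06-12T10:00:04.000Z"}',
    '{"eventid":"cowrie.session.file_download","src_ip":"10.0.0.5","session":"s1","url":"http://example.invalid/payload.bin","outfile":"PLACEHOLDER_PATH","shasum":"PLACEHOLDER_SHA256","timestamp":"2026-06-12T10:00:05.000Z"}',
    '{"eventid":"cowrie.session.connect","src_ip":"10.0.0.6","session":"s2","timestamp":"2026-06-12T10:01:00.000Z"}',
    '{"eventid":"cowrie.login.failed","src_ip":"10.0.0.6","session":"s2","username":"admin","password":"admin","timestamp":"2026-06-12T10:01:01.000Z"}',
    '{"eventid":"cowrie.login.failed","src_ip":"10.0.0.6","session":"s2","username":"root","password":"admin","timestamp":"2026-06-12T10:01:02.000Z"}',
    '{"eventid":"cowrie.session.closed","src_ip":"10.0.0.6","session":"s2","timestamp":"2026-06-12T10:01:03.000Z"}',
    'this line is not JSON and must be skipped',
]


def parse_events(lines):
    """Yield one dict per well-formed JSON event line; skip anything else."""
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue
        if isinstance(event, dict) and "eventid" in event:
            yield event


def summarize(lines, first_n=3):
    """Return credential stats and the first commands run per session."""
    creds = Counter()            # (username, password) -> attempts
    successes = Counter()        # (username, password) -> successful logins
    logged_in = set()            # sessions that passed authentication
    first_commands = defaultdict(list)
    downloads = []
    for ev in parse_events(lines):
        eid = ev["eventid"]
        sid = ev.get("session")
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            pair = (ev.get("username", ""), ev.get("password", ""))
            creds[pair] += 1
            if eid == "cowrie.login.success":
                successes[pair] += 1
                logged_in.add(sid)
        elif eid == "cowrie.command.input" and sid in logged_in:
            # Keep only the first few post-login commands: that is where
            # the fingerprinting and sanity checks the post mentions show up.
            if len(first_commands[sid]) < first_n:
                first_commands[sid].append(ev.get("input", ""))
        elif eid == "cowrie.session.file_download":
            downloads.append({"session": sid, "src_ip": ev.get("src_ip"),
                              "url": ev.get("url"), "shasum": ev.get("shasum")})
    return {
        "attempts": sum(creds.values()),
        "top_credentials": creds.most_common(3),
        "successful_credentials": dict(successes),
        "first_commands": dict(first_commands),
        "downloads": downloads,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("login attempts:", s["attempts"])
    print("top credentials:", s["top_credentials"])
    for sid, cmds in s["first_commands"].items():
        print(f"session {sid} first commands: {cmds}")
    print("downloads:", s["downloads"])
```

To run it on a real sensor, replace `SAMPLE_LOG` with the lines of your `cowrie.json` (`open(path).readlines()`); the parser deliberately skips non-JSON lines so a partially written last line does not abort the whole summary.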

🕵️ Sketchy IP of the day
🕵️ Profile: "The Path-Traversal Tourist from Chinanet"

🌐 180.97.221.123 | AS4134 🇨🇳
💥 CVE-2021-41773 & 42013 (Apache) + CVE-2017-9841 (PHPUnit)
🎯 Double encoding %%32%65 to reach /bin/sh; creative, but our honeypot has read the same RFC.
🤖 UA: libredtail-http (as discreet as an elephant in CGI-bin)
Score: 3 hits, 0 shells.

#honeypot #infosec #threatintel

🍯 Detected by the CyberVeille.ch honeypot
🗺️ https://cyberveille.ch/map/
